
GDPR & Magento

What does the new General Data Protection Regulation (GDPR) mean for business owners using Magento e-commerce?

Well, as a business owner, you are what’s known as a data controller. Your web hosting company, Magento developer & any marketing tools (dotmailer, MailChimp etc.) are known as data processors. The protection of any personal data stored is the responsibility of the data controller.

GDPR covers all personal data held in your business & with your 3rd party processors.

All your data processors & sub processors have to be GDPR compliant.

GDPR does not supersede other laws, e.g. if you have to keep personal data to justify VAT charges then this has to be kept for tax compliance.

What you need to do

Assign a staff member to look after Data Protection. Get data protection training & a certification. This is typically someone at board level as they will require indemnity insurance to cover the liability of the role.

Specify the contact details of the assigned Data Protection Officer in your business.

Specify how to lodge a data subject access request.

Specify how long you hold personal information.

Remove any automatic opt-ins

In online forms all checkboxes must be empty. An empty box cannot imply acceptance.

Only collect information you require to run your business

Delete any personal information you have on servers, Excel sheets, XML files etc. that is no longer used. This includes files containing personal information or emails with attachments.

“If you do not have the information you do not need to protect it”

Only keep one version of personal information. Keep copies only for backup & restore purposes, up to 4 backups is acceptable. Keeping more will need to be justified. Record the location of the backups in your data audit.

It is unlawful to collect any extra information that you may use in the future. You must delete any information you have about individuals that you have no use for.

All data breaches need to be actioned with a preventative measure & recorded

Examples of data breaches:

Personal information being passed to, or coming into the possession of, an unauthorised data processor or sub-processor.

Passing personal data into a non-GDPR-compliant country.

Passing personal data to a third party without the knowledge of the data subject.

Personal information leaked as a result of a hack on a website.

Implement a data breach process & plan

Have an action plan in place & run worst case scenarios to test your plan.

Have a process in place for when someone is looking for a copy of their data (Subject Data Access Requests).

“I have a request for all personal data we hold for an individual to be exposed to them, what do I do?”

Verify their identity.

Make sure you have the data before processing the request; if you do not have the data, respond & say “I don't have the data”.

Do not create more personal data while performing the request.

Process the request.

Record it in your data audit log.

Do it within 20 days.

Update your contracts, NDAs & Privacy policies on your website

All staff need to have signed NDAs & data protection awareness training. A good rule of thumb is to include all staff, even if they do not have direct access to personal information in the normal course of their duties.

All customer contracts have to be updated with a GDPR clause.

It is a good opportunity to do a data cleanup & make sure all your sub-contractors are lawful, & that you have valid contracts with your customers.

If you have a data breach you must report this to the Data Commissioner's office. Failure to do so is unlawful. You may get sued for not protecting personal data correctly. If your processes are found to be defective then you are liable for fines as well as the loss of reputation & loss of business.

What you can no longer do

1. You cannot send unsolicited emails to anyone. No more purchased lists or merging lists from different companies into other lists.

2. You cannot auto-email from abandoned shopping carts offering discounts unless the shopper has opted in for email at the top of the checkout.

3. You cannot refuse to give customers their personal details on request.